Posted by samzenpus on Wednesday April 02, 2014 @09:05PM from the get-to-learning dept.

chicksdaddy (814965) writes "The Internet of Things has tremendous potential but also poses a tremendous risk if the underlying security of Internet of Things devices is not taken into account, according to Vint Cerf, Google's Internet Evangelist. Cerf, speaking in a public Google Hangout (video) on Wednesday, said that he's tremendously excited about the possibilities of an Internet of billions of connected objects. But Cerf warned that it necessitates big changes in the way that software is written. Securing the data stored on those devices and exchanged between them represents a challenge to the field of computer science – one that the nation's universities need to start addressing. Internet of Things products need to do a better job managing access control and use strong authentication to secure communications between devices."

This. A thousand times This. I have been in meetings where security has explicitly been regarded as irrelevant, where one-way encrypting passwords from plaintext on the client is irrelevant, and where we can trust our employees to always do the right thing with all of our users' passwords, and "what could they do with the passwords that is outside of our irrelevant application" was bandied around the room as acceptable.

They should not be teaching the importance of such things to CS students, but much rather to the MBAs and BBus students. It's not the knowledge of the need for security amongst those that build, but the desire to pay for it from Management.

Nail, head, hit. Even if someone had a device that had obvious security failings that were unfixable, the EULA/TOS by opening it up and turning it on would ensure that lawsuits would not proceed (either by forcing arbitration, or just a clause stating that it isn't their fault, no matter what.)

I have no interest in IoT. Realistically, what has to be on the Internet all the time and take commands? Why do we need to give devices full exposure if it isn't needed?

If someone wants status messages from devices, why not just have devices communicate via Bluetooth to a log box, and said log box present the data to where it needs to go? This would force an intruder to have to hack that core box, then use Bluetooth weaknesses to jump to actual devices, rather than just run scripts blindly and hope someone's widget shows up.

You need to fix your consumer laws so you are not dominated by tyrannical EULAs.

In the UK the law is quite clear. All products must be fit for purpose. If a router has security features (like a password to access the management interface, or a firewall) it must work in a typical home environment where the router was intended to be used. No EULA can change that, or take away your legal right to redress.

If three years after buying the router there is a security hole discovered and the manufacturer does not fi

I know a student in UCF, who is in CS102(? - he called it CS 2) who didn't even know what a cryptographic function was. Had _never_ heard of the term "md5", "bcrypt", etc. And he's about to get his CS degree. I don't know what in hell they're teaching these kids, but it sure isn't computer science. Most of the work he's shown me, has been reimplementing bubble sort and the like...

No thanks. I don't want to be responsible for intractable problems. Security is one of those. See, in this situation the programmers would be the ones canned over any security flaw, regardless whether it's due to programming or misuse by the customer.

Cleaning toilets is starting to sound like a great job these days. It sure beats cleaning up people's digital toilets...err computers and networks.

The best way to be safe from the internet of things is not to have unneeded connectivity. Anything else is a risk.

College is about learning theory and how to apply it, it isn't a vocational program.

When you have a $100k bill to pay off that you can't escape through bankruptcy, you'd better have some way to pay it off. When you have a trillion dollar debt problem based upon this (see previous slashdot headlines) you have what they call a "real problem."

What you say is a nice sentiment. It's a sentiment that was only valid 40 years ago, when a summer job every year could pay for tuition at Northeastern.

It is also preposterous to not teach the concepts of security for devices connected to hostile environments (i.e., every network ever), and networking is not a "fad." The only people that thought that the Internet and networking in general for "the great unwashed" were fads were "futurists" like Cliff Stoll who were wildly wrong in 1995.

You teach core and theory and you apply it to whatever the current fad is.

He's not really saying that CompSci programmes should be tailored for Internet of Things. What he's saying indirectly but perfectly clearly to those who are aware of the appalling state of networking security in recent years is that university-level tuition needs to buck up and face the music, because the people they have been releasing into the field are totally inept at designing secure systems. The hundreds of thousands of security problems spread right across the whole Internet speak for themselves.

It's a very important message, and hopefully it will resonate with more than a few CompSci departments. IoT is just being used as an excuse for releasing a high-profile message from a respected person about the very unsatisfactory state of developer competence in the area of secure systems.

Regarding your second point about education versus vocational training, you are right about that, but secure software design and cryptography are not subjects for vocational training, but very strongly in the domain of CompSci. You have to understand the fundamentals, not just know which functions to call.

Personally I think that you miss the point. It's not about security in the real world, it's about the economics of security. No manufacturer will put an advanced security system into dirt cheap consumable devices. It is a joke to even consider IoT for most stuff. It's an '80s fantasy that just has no economical value if applied as blindly as the idea suggests. One of the major benefits of a structure like IoT is agencies can spy on everything more easily. The question is why we should consider this to be some

That's a false premise. You ASSUME that computer science program is responsible for the lack of security in products because they don't teach security. The fact is businesses that build these products do not promote security because it will cost money. Do you honestly think that some guy who graduates with a CS degree is responsible? Put another way, where do all these security experts get their training?

embedded connected devices aren't a fad...but you know what is a fad? slapping an IoT sticker on things when trying to find startup funding.

that's why the so called reporter/journalist in this case slapped it under that label, because he is a fad seeking ahole incapable of writing actual news or opinion pieces so he mismatches someone else's comments into an opinion piece that ends up being incoherent.

Maybe, but it's high time that when it comes to teaching Networking, IPv6 starts replacing IPv4 as the taught protocol, so that it gets applied more going forward, and does not tie newer graduates to older technology that's hit its limits ages ago

Your sock drawer would know how many times each sock has been fucked, it would alert your washer to wash two cycles instead of one, it could tell your fridge to order more detergent since it's in charge of the grocery list and it could buy more sexy lingerie on Amazon for your girlfriend since you're obviously ignoring her physical needs.

I'll never trust a smart cooking appliance. You never know if there's going to be a sudden traffic surge or be in an accident. Good luck burning your house down. That's aside from the fact that you'll have to leave the food in the oven hours beforehand (robotic oven/fridge is still too expensive). Many foods don't do well sitting out uncooked and there's always the possibility of forgetting that you didn't put food in (in-oven camera would fix that).

I question the need to connect if it is truly automated, but I think I understand what you are getting at. (jumping to your third para)

What I see as a goal is a 'master computer' controlling your home, and applicable contents. You communicate with the Home Computer, and then it controls the individual appliances and equipment. (fully automated)

So you are connected to the home comp and communicating your commands to it, and it takes things from there.

What exactly are the upsides of having my fridge, toaster, microwave oven, sock drawer or fork connected to the internet?

Well a smart oven can be set to cook your meal when you hit a button on an app before you head home. A smart fridge can keep track of what food you have when it expires what you use then compile meal plans and grocery lists add to it a link to your smart bathroom scale, and smart shoes to measure the amount of physical activity you have throughout the day and it opens up dynamic dieting meal plans. A house's light and sound system could detect what room you are in and turn on and off lights and speakers as you enter/leave. Given time I could come up with more applications but those were just the first ones to pop into my head.

You would have to cook your meal before leaving or at the least prepare it and leave it to cook; check it when you're away to see that it doesn't get burned or not cooked enough, you can adjust time or temperature. Then let it sit and cool off for hours. Just before you come back you can turn on low heat to make it warm again. Pretty limited. Remote control can be used at home too but really, why not walk to the friggin' oven!

On the plus side, I will spy on your oven's content, remotely deactivate your a

There was a character in a (new series) Outer Limits episode who survived by doing exactly that - he learned to hack building management and lived free at a futuristic apartment complex by stealing a little food here and there - adding an item to someone's grocery order and intercepting it on delivery, living in the maintenance spaces. The invisible parasite.

You'd have to prepare the meal beforehand and hope there's only one cooking step. Fine if you're doing boxed dinners, but useless if you want to actually cook anything.

A smart fridge won't know when milk's gone sour before the date or when yogurt and cheese are still good a month after the date. Nor will they have a way to read the damned date on any of the brands I like. I sure as hell am not typing (or touching, or speaking) that shit in to the fridge. Nor would such a smart fridge need to be connected to the internet

As to it not being able to know what is in it without you manually entering the data, have you ever heard of bar codes? You can put a hell of a lot of stuff in QR codes. As for knowing that something went bad soon, just mark it as bad or gone; if something isn't bad at expiration, click the not bad button that adds a week

What exactly are the upsides of having my fridge, toaster, microwave oven, sock drawer or fork connected to the internet?

It's so BigBrother.com can sell you things that break down faster. It enables BigBrother.gov to come up with more reasons to oppress you in various ways. Oh, upside for you? None, slave. Now get back to producing crap people don't need and buying crap you don't want, or we may decide to audit your taxes, or bust down your door with a S.W.A.T. raid or something.

Some things, though not all, make sense to be connected to the internet. Like your home security system. Or your garage door opener. Let's say the spouse is locked out and doesn't have the key, & calls you while you're watching a movie. A few buttons on the cellphone, and the garage door is opened. Or you are told that you've driven off w/o closing the garage door. Done w/o driving back. You remember that you've forgotten to turn off the oven while setting the quiche? Done from wherever you are.

If you give your sock drawer access to the internet, it will hack its way into the means to put the Large Hadron Collider into turbo boost overdrive, all in order to rip the fabric of space-time to open a portal into Demon Murphy's dimension/domain (of Murphy's Law infamy), have a Massive Black Hole FedEx'd into our solar system, and Earth would get sucked into Demon Murphy's Domain, making Hell look like Paradise.

True, all of the Internet of Things functionality could be replaced by machines having an open interface and open specifications, controlled by a central computer which may or may not be connected to the internet. But the great thing about doing it distributed is that now manufacturers can charge extra for each "smart" device. That's what's driving the Internet of Things.

My Internet-enabled fridge needs to be developed using proper security procedures which are ummm.... not applicable to any other field such as SCADA or medical database systems that are already in place. Who's smoking the crack here, the journalists or Cerf? I'm betting it's the journalists and that he's misquoted and/or being quoted out of context. Too lazy to RTFA of course...

It's bad enough that mobile phones and tablets are forced into early obsolescence (I have 2 perfectly viable Transformer Prime Infinity tablets, they're awesome...they just don't get updated anymore. Yes, in that particular case it's easy for me to flash in a custom ROM, and I do that, but that's not easy for the average joe, and it's not nearly as easy across all devices).

When it's a phone it's one thing...freagin waste, but at least they're mostly cheap-ish, contract or not. A fridge? A washer/dryer? A car? Sma

Only appliances with a valid support contract and maintenance agreement are entitled to receive firmware upgrades. Appliances without either of those, or that have been transferred to a third party without the authorization of the vendor or a licensed reseller are ineligible.

The most explosive *recorded* invention in the history of mankind was the printing press.

And it set Europe on fire.

But this led to the Renaissance.

You can't put the genie back in the bottle.

What is going on now with the internet and mobile devices and communication in general --- like the printing press or like radio or television --- is going to upset the status quo in 57 different ways.

Embrace these ways, understand how they will be used for good (yes --- if you think citizens are upset, just imagine how upset tyrants and governments are --- people in power hate change) ----

Communication advances always cause flowers to bloom --- any heartache always looks dumb and old fashioned in a decade of hindsight, because it yields new freedoms and rights that were never expected. If you doubt this, why do civil rights continue to grow and governments to ever more tend to the welfare of their people?

I'm pretty sure the internet (and computers in general) has topped the printing press in that way.

In less than half a century, the Internet has gone from invention to be widely used in every nation on earth with more than a 3rd of the world's population* actively using it. The printing press, while wildly popular and transformative did not have nearly this level of adoption and impact.

You are right in how transformative the printing press was, and a great example of how we can expect the Internet to continu

Communication advances always cause flowers to bloom --- any heartache always looks dumb and old fashioned in a decade of hindsight, because it yields new freedoms and rights that were never expected. If you doubt this, why do civil rights continue to grow and governments to ever more tend to the welfare of their people?

Huh? The biggest advance that I've seen in communication is revelations that the NSA and its sister agencies around the globe have been spying on all the new freedoms that were never expected. How's that for civil rights continuing to grow?

The most explosive *recorded* invention in the history of mankind was the printing press.

You can't put the genie back in the bottle.

What is going on now with the internet and mobile devices and communication in general --- like the printing press or like radio or television --- is going to upset the status quo in 57 different ways.

Cost of global communication has already dropped to the point of saturation in much of the world. With low hanging fruits already plucked wouldn't hold my breath on disruptive change arriving anytime soon.

I expect to see a lot of crap with questionable or negative value prop so I will not be blindly embracing anything.

Cultural change takes time. Just look at the backlash - how many countries have set up elaborate internet filtering systems in an effort to keep out ideas they regard as dangerous to their society? And how well are those filters working? The biggest barrier to international communication now is language, and Google is working hard on that one.

I reject, fundamentally, the idea that 'The Internet of Things' means that every device in one's home should outwardly face the Internet. There is plenty of opportunity for layering. An IP enabled refrigerator can be connected to the internet through some far more secure routing device.

Security zoning functionality and monitoring technology for security purposes needs to see far, far more development than it does at present. Perhaps there are entities and forces out there that don't want us to have secur

"the internet of things" is a reductive concept. It's an unnecessary abstraction layer that just puts more barriers between the programmer and the device. We should be **getting rid of** concepts like this in CS not adding them...

For far too long, computing has been about desktops and servers. Smartphones and tablets opened it up slightly

Yeah...just like Telegraph machines "became" telephones...and a whole ***new way of communicating*** was invented!

You sound like a salesman...like a TED Talk...or maybe a "tech evangelist"

First, we don't need to invent a new word to describe "sea change"...the words "sea change" or any number of synonymous phrases used daily work just fine.

2nd, computing has ****never**** been about "just desktops and servers"

3rd, your understanding of "computing" is fundamentally incorrect

we design devices to accomplish user tasks...we use all available technology (and maybe invent some new stuff) mitigated by cost

"the internet of things" is just a B.S. marketing way to say "making devices that use updated technology to its fullest"

stop it...just stop forever...there is absolutely no reason to ever say the words "the internet of things"...or "connectivity meme"....they are redundant concepts that conjure abstractions needlessly so people who don't understand technology can think they sound smart

Unless you're calling mainframes servers, you seem to be ignoring the most basic, oldest and (until very recently) the most extensive application of computers: doing masses of calculations for business in house.

Computer Science has absolutely NOTHING TO DO WITH ANY INTERNET, of "things" or otherwise.

Computer Science needs to change its name so everyone that thinks they know what a computer is can stuff it up their ass. Because CS has nothing to do with computers, and nothing at all to do with software or programming. The "Computer" in "Computer Science" is not, I repeat, is not synonymous with the thing you call "computer" that's on your desk or lap. It means simply "calculator," i.e. one who calculates, or, precisely, that which computes, or to make it really simple for them, that which reckons. They should call it Reckoner Science. Then no one would be confused, no one would fantasize about studying it (because they just love their computer!!) when they go off to college in a year or so, and HR morons would stop requiring CS degreed Windows Administrators or help desk monkeys because that is ridiculous. Mechanics don't need Mechanical Engineering degrees, Nurses don't need an M.D., and corporate america does not need specialized mathematicians furiously installing java browser plugin security updates on all the machines on their network. Think of Computer Science as math... then you'll understand how stupid everyone sounds when they say anything about Computer Science. Be a programmer if you want. Programmers do not need a Computer Science degree, or any degree for that matter.

I'm just going to put this here:

Computer Science [wikipedia.org] (abbreviated CS or CompSci) is the scientific and practical approach to computation and its applications. It is the systematic study of the feasibility, structure, expression, and mechanization of the methodical processes (or algorithms) that underlie the acquisition, representation, processing, storage, communication of, and access to information, whether such information is encoded as bits in a computer memory or transcribed in genes and protein structures in a human cell. A computer scientist specializes in the theory of computation and the design of computational systems

Understanding the impact of how the future world of always-on, always-available, omnipresent computing interacts at a high theoretical level is not programming and absolutely does belong in the realm of science of computing.

This isn't the realm of code monkeys, and I agree that's not what CS should teach. However, the theory of systems and interactions should be taught.

Where does researching AI, machine learning, or organic networks fall in your narrow definition? CS is maturing as a science and researching

Computer Science has absolutely NOTHING TO DO WITH ANY INTERNET, of "things" or otherwise.

Between you and Vint Cerf, I'm going to guess that he actually does understand Computer Science, and that you didn't understand what he said.

Also, the internet of things? That fits right in the definition of CS you have there, under "practical approach to computation and its applications." You should have read it, instead of just putting it there.

I've seen this argument quite a bit, that Computer Science is really just a branch of applied mathematics, that it is unnecessary for programmers and so on. Sure, it could be viewed that way, but it is ignoring a lot of the history of how the discipline developed.

The first CS programs always had an applied component. It was not just math and proofs. There was (and still is) math, but there was a lot of engineering from the start. When Ivan Sutherland started the field of computer graphics, it wasn't just

So far as it goes, what he says is true: this 'internet of things' will represent a major challenge to secure and problem if not secured; further, if the present state of security tells us anything, we sure as hell aren't prepared for it, much less what we do right now.

Fundamentally, though, treating it as a 'security' problem is making a dangerous and conceptually limiting mistake. "Security" ensures that a system operates as intended, provides only the access and capabilities intended to various parties, and so on. It Does Not specify who those parties are. Bad news, kids, based on everything we've seen so far, and how everything that was bad on the internet is even worse on 'mobile' and so on, do you really think that even perfect security would do much more than keep small-time criminals from inconveniencing 'respectable' advertisers and subscription-service pushers?

Unless you think that cellphones were some sort of aberration, totally different from everything else because, um, reasons; 'internet of things' is just a polite way of saying "EULAs, crypto bootloaders, 'consumer behavioral marketing', and who knows what else, baked into every device large enough to support some kind of NIC".

Yes, Cerf is correct in that having the 'internet of things' work out slightly better than "Hey, let's sell SCADA to home users!" would be a pretty good idea; but that's not even close to good enough. 'Security' just means that the wishes of the system creator are being followed. Do you think those wishes will be to your benefit?

I think Vint gets that, and is speaking to the higher level and using "security" as an abstract generalization.

For example, the web was explicitly developed as a "pull" technology with declarative linking by reference with public visibility. Understanding the impact of that to how you build a security model governing access presents a unique challenge. By comparison, Usenet is the opposite. It's essentially a syndicated push technology, more similar to a broadcast publishing method. As a result, the security model for how people gain access to resources, and what talks to what, is handled in a very different way.

Those are just two examples of content on today's general Internet which is an extension of Vint's work. When he talks about the Internet of Things, he doesn't merely mean the fad of sticking a web browser on a toaster. He's talking about the bigger vision of omnipresent computing and direct interaction of common devices to each other. Much like the Internet (specifically TCP/IP and DNS) was conceived as a way for computers to directly talk to each other (not going through a centralized hierarchy for approval and redistribution). We learned a lot of great lessons about how it would be used, the shortcomings, and the security ramifications. Now that we're in the fledgling stages of doing the same thing for a whole new area of automation and computing, there's great opportunity to think about and apply the lessons learned.

I certainly hope he does, and he's definitely sharp enough to have a better-than-average chance of doing so. I think I've just gotten a bit jumpy about this sort of talk about 'security' since the whole electronic voting machines issue showed up (and, um, never actually went away, not that you'd know that by looking). Even some people I think of as atypically clueful and competent focused on the (genuinely alarming and sometimes downright comical) security flaws in the various early systems, and paid no app

A friend told me he wishes for the crapper's flush to be linked to the coffee pot. Smart algorithms will detect his habit of taking a crap in the morning and then preparing coffee, so flushing the toilet should trigger coffee brewing on the right hour ranges, and if the pot is not full of coffee already. Taking a dump is a proxy for presence detection, but also for the intent of drinking coffee. I suggested that the powers-that-be will spy on him by detecting droppings falling into the water as well as analy

The "Internet of Things" is, I think, driven mainly by manufacturers who want people to have an excuse to buy their new thing, which everybody already has, and works fine. Maybe universities should be teaching smartwatch programming too!

No. Universities should teach programming and technology basics. If corporations want to try to convince us all that we need an Internet-connected stapler, they aren't going to go looking for university graduates that have an IoT degree! They'll figure it out all on thei

Right after people learn to break up their code into actual functions instead of the standard multi-thousand line long garbage. Oh and of course give everything meaningful names. Can't forget to tell people to actually check their warnings ETC. (I'm sure everyone here that's a programmer/SE/developer can easily expand on all the crazy shit they've seen people do which would come way before this.)

Apparently what the Internet needs most is yet another buzzword so nebulous, context free and ill defined nobody really understands what it is you're talking about.

If "Internet of things" means home automation the technology has been around for decades yet remains a small niche market. "you can..." scenarios are fun and cool and functional and all yet tend to impart very little useful value to the owner. I don't need or want Internet connected thermostats, light bulbs and toasters. As for security we can't even communicate securely. Email, Telephone/SMS are wholly insecure and trivially spoofed by anyone. Securing a mythical buzzword is not a problem I chose to spend my time pursuing.

The problem is not that use cases don't exist the problem is those use cases are mostly weak, irrelevant and otherwise impart very little actual value on the user.

For instance having your thermostat aware of when the fridge is cycling on and off can allow it to determine the best time to run the ac for the most energy efficiency.

Maximizing cycle length of AC is the only thing that will save you any cooling energy short of living with higher temperatures. Complex calculations / appliance coordination are not necessary to predict the future a simple PID loop in t-stat has same effect.

Also if you are really energy conscious and live in an area where heat pumps make sense se

Apart from a few technology companies here and there, does anyone really want the "Internet of Things"? I have yet to hear someone say, "Gosh, I wish my washing machine were internet-capable". Yes, I understand that tech firms can come up with all sorts of scenarios where they can try to convince us that this technology will be useful, but what have you really gained with an internet-ready appliance, apart from yet another vehicle for advertisement?